Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

TOP OF THE NEWS

Targeted Attacks Against Sensitive US Networks on the Rise (April 10, 2008)

BusinessWeek takes a look at the growing number of targeted attacks against US government and private industry systems. The problem is serious enough to have prompted the Cyber Initiative, signed by President Bush in January, and reportedly a classified operation known as Byzantine Foothold, aimed at discovering the source of the attacks and protecting systems from future attacks. The Office of the National Intelligence Director responded in writing to questions from BusinessWeek, saying, in part, that "computer intrusions have been successful against a wide range of government and corporate networks across the critical infrastructure and defense industrial base." A Chinese government spokesperson denies the allegations that the attacks came from China, even though considerable evidence exists pointing to the attacks' origin. The article also goes into some detail regarding a targeted email sent to a Booz-Allen executive that contained malware known as Poison Ivy, a remote administration tool capable of logging keystrokes. Another piece of malware that accompanied the email is designed to disable security measures.
-http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm
Chinese Embassy response to written questions from BusinessWeek:
-http://www.businessweek.com/magazine/content/08_16/b4080032243361.htm
[Editor's Note (Schultz): These threats are indeed extremely serious, so serious that conventional security measures do not appear to be capable of addressing them. Entirely new strategies for dealing with them need to be created and considered.]

Members of the European Parliament (MEPs) have voted against a plan to cut off the Internet access of habitual illegal filesharers. In a close vote, MEPs approved an amendment to a report on Europe's cultural industries that says banning people from the Internet flies in the face of "civil liberties and human rights." Several MEPs have expressed the opinion that while it is appropriate to punish "commercially driven Internet piracy," punishing individuals by cutting off their Internet access "is an inappropriate response." The International Federation of the Phonographic Industry, which favored a three-strikes-and-you're-out approach, has called the amendment "badly drafted." The report is not legally binding.
-http://euobserver.com/9/25959
-http://news.bbc.co.uk/2/hi/technology/7342135.stm
[Editor's Note (Northcutt): You have to give them points for creativity, but I wonder how you could ever enforce such a law? I guess we will find out; it appears the French are going to give this idea a go:
-http://news.bbc.co.uk/2/hi/technology/7110024.stm]

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Bank Call Center Employee Jailed for Data Theft (April 14, 2008)

A Royal Bank of Scotland call center employee has been sentenced to one year in prison for stealing customers' account information that was later used to make fraudulent transactions totaling GBP 33,585 (US $66,655). Asman Alyas, who provided the information to others, pleaded guilty to conspiracy to commit fraud. A spokesperson for the National Consumer Council said that banks should disclose information about data breaches so that customers can make informed decisions.
-http://www.manchestereveningnews.co.uk/news/s/1045113_call_centre_crook_helped_steal_33000
[Editor's Note (Ranum): Eventually, all interesting computer security problems boil down to trust. How many banks do you think would allow call center employees access to the bank's vaults? When are organizations that hold significant databases going to realize that there is no difference?
(Weatherford): Not that it would have prevented this incident, but it is also good justification to begin conducting background checks on ALL personnel who handle sensitive and private information. To use an over-used word, it's called due diligence.]

Nine-Year Sentence for Data Theft and Fraud (April 14, 2008)

Mario Simbaqueba Bonilla has been sentenced to nine years in prison for his role in a cyber crime scheme that resulted in losses of US $1.4 million. Simbaqueba Bonilla pleaded guilty earlier this year to charges of conspiracy, access device fraud, and aggravated identity theft. The scheme involved placing keystroke-logging software on computers in hotel business centers and Internet cafes. Simbaqueba Bonilla and an accomplice used the information gathered to siphon money from various bank, payroll, brokerage and other online accounts. He was also ordered to pay US $347,000 in restitution and will serve three years of supervised release upon completion of his prison sentence.
-http://www.vnunet.com/vnunet/news/2214210/colombian-fraudster-jailed-nine
[Editor's Note (Schmidt): At which point will ALL hotels, libraries and business centers restrict people from installing software on the common-use machines? I have seen some major hotel chains that have some common-use computers "secured," but it varies from city to city and with who they hire to manage these computers.
(Weatherford and Paller): One of the longest sentences we have seen; perhaps the beginning of a welcome trend.]

A former employee at New York-Presbyterian Hospital/Weill Cornell Medical Center allegedly stole and sold the personal information of nearly 50,000 patients. Dwight McPherson was arrested and charged with conspiracy involving computer fraud, identity document fraud, transmission of stolen property, and sale of stolen property. The compromised data include names and Social Security numbers (SSNs), but no medical information. The hospital is attempting to notify the patients affected by the breach.
-http://www.nytimes.com/2008/04/13/nyregion/13arraign.html
-http://www.news24.com/News24/World/News/0,,2-10-1462_2304983,00.html
[Editor's Note (Schmidt): This is happening with way too much frequency. If there is ever a reason for enhanced sentencing, this would be one of the reasons: it is bad enough that someone is in the hospital, but to victimize someone in that situation is about as low as you can get.]

A librarian's attentiveness resulted in the arrest of a man who allegedly used stolen information to make Internet purchases through computers at the library. The Collinsville (IL) Public Library librarian became suspicious when she noticed that the man used a variety of names and credit card numbers to buy items over the Internet. Jason David Lingo admitted to buying credit card numbers late last year and using 20 of those to make fraudulent purchases through library computers. Lingo has pleaded guilty to charges of possession of unauthorized devices, mail fraud, and aggravated identity theft. His sentencing is scheduled for July 10.
-http://www.bnd.com/breaking_news/story/307953.html
[Editor's Note (Northcutt): The story mentions that Internet fraud often involves delivery to an empty house or lot. So, if you know a house in your neighborhood is vacant and you see FedEx pull up for a delivery, give your local police department a call. In this case Mr. Lingo was using empty lots, and mail carriers should have known better. Here are two good links; the second one requires digging down a bit, but if you scroll down to post number 7, you will get some advice from an obviously savvy retailer:
-http://www.ebizinsider.com/2008/03/14/e-commerce-fraud-sucks-hints-to-reduce-the-rot/
-http://mybroadband.co.za/vb/showthread.php?t=79265]

POLICY & LEGISLATION

Australia's privacy commissioner Karen Curtis plans to issue draft guidelines regarding data breach notification to help companies address the issue while the details of the Privacy Act revision continue to be hammered out. Government agencies and businesses have contacted the privacy commissioner's office with questions about handling data security breaches. The guidelines will be voluntary; commentary on the guidelines will be accepted through June 16, 2008. The Australian Law Reform Commission's review of the 20-year-old Privacy Act is expected later this year, and it may be some time before new laws are enacted.
-http://www.australianit.news.com.au/story/0,24897,23539443-15306,00.html

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

High School Students Allegedly Accessed Employee Data (April 12, 2008)

For the third time in the last month, high school students in the Buffalo, New York area are believed to have gained unauthorized access to school computer systems. The most recent incident involves several current and former Williamsville North High School students who allegedly copied files that contain school employees' personal information, including SSNs. The other incidents occurred in the Grand Island and Seneca districts.
-http://www.buffalonews.com/home/story/321395.html

STATISTICS, STUDIES & SURVEYS

Largest Botnets Control More than One Million Machines (April 9, 2008)

Research presented at the RSA conference estimates that the largest eleven botnets cumulatively control more than one million machines and are capable of sending out 100 billion spam emails each day. The largest botnet is believed to be one known as Srizbi, controlling an estimated 315,000 machines; Bobax claims an estimated 185,000 machines, and Storm comprises about 85,000 compromised machines. The research also aims to clarify which botnets are which, as some recent reports have said that Kraken is the largest botnet, comprising more than 400,000 machines, but Kraken is believed to be another name for Bobax.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9076278&source=NLT_PM&nlid=8

UPCOMING SANS WEBCAST SCHEDULE

Sponsored By: StillSecure
-http://www.stillsecure.com/v
This webinar will discuss the challenges associated with NAC deployments and provide organizations with a blueprint on how to cost-effectively take advantage of this critical technology. Learn first-hand how your organization can benefit from this ground-breaking technology.

This Webcast discusses how logs and event correlation should be managed for compliance purposes and how auditors, working closely with security and operations teams, can help develop processes that leverage logging and event data to measure the effectiveness of their controls.

Cyber security is all about reducing risk to critical assets. Protecting and controlling data flow is a critical part of an organization's security arsenal. Therefore data loss prevention would seem like a perfect solution for reducing risk. However, just because a product is called a data loss prevention solution does not necessarily mean that it properly reduces risk. Before purchasing or deploying a solution it is critical to understand the key risks you are trying to reduce and make sure the solution is the most cost-effective way to reduce them. This talk will provide insight into what product features are most valuable and which solutions should be avoided. To accomplish this it will provide a detailed understanding of the landscape and the best way to protect data at an organization. Register now for this free webcast!

Events from security and monitoring devices fire off an unmanageable number of alarms with no way of telling how they're related, or how they impact performance. As networks converge their video, voice and data traffic over IP networks, these alarms will only increase, while providing less visibility into what set them off. This Webcast discusses what will be needed of security monitoring tools as this convergence of data, voice and video becomes ubiquitous.

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post-graduate-level IT security college, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter, and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/